This week Google disclosed details and a proof-of-concept exploit for a Wi-Fi firmware vulnerability affecting Broadcom chipsets in iOS 10 and earlier. The flaw that was patched this week could be exploited by attackers to execute code and establish a backdoor on a targeted device. The attackers just need the iPhone’s MAC address or network-port ID.
The vulnerability, tracked as CVE-2017-11120, is a memory corruption vulnerability, Apple addressed it in the security update for the release of iOS 11.
“Attaching exploit for this issue. The exploit gains code execution on the Wi-Fi firmware on the iPhone 7. The password for the archive is “rrm_exploit”.” states the bug report published by Google Project Zero researcher Gal Beniamini.
“The exploit has been tested against the Wi-Fi firmware as present on iOS 10.2 (14C92), but should work on all versions of iOS up to 10.3.3 (included). However, some symbols might need to be adjusted for different versions of iOS, see “exploit/symbols.py” for more information.
The Beniamini’s exploit code allowed the expert to establish a backdoor into Broadcom chip’s firmware, which allowed him to remotely read and write commands to the firmware.
Upon successful execution of the exploit, a backdoor is inserted into the firmware, allowing remote read/write commands to be issued to the firmware via crafted action frames (thus allowing easy remote control over the Wi-Fi chip).” continues the report.
The exploit code works against the firmware packaged with iOS 10.2 and that it should work on versions up to and including 10.3.3. The experts also verified that BCM4355C0 System on Chip with firmware version 188.8.131.52.0.1.56 is vulnerable.
The vulnerability resides the Broadcom chips that are used in the iPhone and other Apple products, including Apple TV and in the Apple Watch.
This vulnerability is similar to the one Gal Beniamini discovered in the Broadcom WiFi SoC (Software-on-Chip) back in April, and the BroadPwn critical remote code execution vulnerability (CVE-2017-3544), that affects the Broadcom BCM43xx family of WiFi chipsets.
Since there is no way to find out if your device
Users urge to update iPhones to iOS 11 because it is not possible to discover if their device is running the firmware version BCM4355C0.
(Security Affairs – WhatsApp, Censorship)